[wp-hackers] Security at Wordpress

John Joseph Bachir jjb at ibiblio.org
Mon Apr 24 17:12:35 GMT 2006

On Mon, 24 Apr 2006, John Joseph Bachir wrote:

> Just on the subject of nonces and POST... even if all side-effect 
> actions used POST, there are still security vulnerabilities that a nonce 
> system will defeat. One example is making a webpage that looks just like 
> the admin interface but isn't, and then using social engineering to get 
> the victim (who has an authorization cookie) to use the impostor form. 
> (checking admin referers also defeats some or all of these cases as 
> well)

Whoops, just saw that Owen already mentioned this 10 emails back :)

aim/yim/msn/jabber.org: johnjosephbachir

More information about the wp-hackers mailing list